Analysis Overview
SHA256
f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea
Threat Level: Known bad
The file 39.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:37
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:37
Reported
2022-11-10 10:39
Platform
win10v2004-20220901-en
Max time kernel
135s
Max time network
129s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\laIf.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CbVayXY\\laIf.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgfHPPVT.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\KlituifQjBIVn\\AgfHPPVT.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\39.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KlituifQjBIVn\AgfHPPVT.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CbVayXY\laIf.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| TH | 203.151.59.20:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| CN | 47.92.133.65:80 | navylin.com | tcp |
| US | 20.189.173.15:443 | tcp | |
| FR | 2.18.109.224:443 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| DE | 135.125.230.197:80 | db.rikaz.tech | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
Files
memory/4396-132-0x00007FF963870000-0x00007FF963880000-memory.dmp
memory/4396-133-0x00007FF963870000-0x00007FF963880000-memory.dmp
memory/4396-134-0x00007FF963870000-0x00007FF963880000-memory.dmp
memory/4396-135-0x00007FF963870000-0x00007FF963880000-memory.dmp
memory/4396-136-0x00007FF963870000-0x00007FF963880000-memory.dmp
memory/4396-137-0x00007FF9617E0000-0x00007FF9617F0000-memory.dmp
memory/4396-138-0x00007FF9617E0000-0x00007FF9617F0000-memory.dmp
memory/636-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
memory/636-142-0x0000000002A60000-0x0000000002A8E000-memory.dmp
memory/2456-145-0x0000000000000000-mapping.dmp
C:\Windows\System32\KlituifQjBIVn\AgfHPPVT.dll
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
memory/3260-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
C:\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
memory/4056-156-0x0000000000000000-mapping.dmp
C:\Windows\System32\CbVayXY\laIf.dll
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
memory/3580-161-0x0000000000000000-mapping.dmp
memory/1104-162-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:37
Reported
2022-11-10 10:39
Platform
win7-20220812-en
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\39.xls
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
/S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QbFGEsunjmq\FsWqqEsyr.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
/S ..\elv2.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| TH | 203.151.59.20:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| CN | 47.92.133.65:80 | navylin.com | tcp |
| ID | 115.178.55.22:80 | tcp | |
| ID | 115.178.55.22:80 | tcp | |
| SG | 172.105.115.71:8080 | tcp | |
| SG | 172.105.115.71:8080 | tcp | |
| KR | 218.38.121.17:443 | tcp | |
| KR | 218.38.121.17:443 | tcp | |
| BR | 186.250.48.5:443 | tcp | |
| BR | 186.250.48.5:443 | tcp | |
| IN | 103.71.99.57:8080 | tcp | |
| DE | 85.214.67.203:8080 | tcp | |
| FR | 85.25.120.45:8080 | tcp | |
| CN | 139.196.72.155:8080 | tcp | |
| CN | 139.196.72.155:8080 | tcp |
Files
memory/1248-54-0x000000002FED1000-0x000000002FED4000-memory.dmp
memory/1248-55-0x00000000714B1000-0x00000000714B3000-memory.dmp
memory/1248-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1248-57-0x000000007249D000-0x00000000724A8000-memory.dmp
memory/1248-58-0x0000000075351000-0x0000000075353000-memory.dmp
memory/1248-59-0x000000007249D000-0x00000000724A8000-memory.dmp
memory/1520-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
memory/988-64-0x0000000000000000-mapping.dmp
memory/988-65-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
memory/988-67-0x0000000000290000-0x00000000002BE000-memory.dmp
memory/1816-70-0x0000000000000000-mapping.dmp
memory/1952-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
memory/1320-79-0x0000000000000000-mapping.dmp
\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |